FortiGate, Firewall cannot pull users while doing SSL-VPN. It is taken in the group from all other user/groups. The user portal is actually the current users of the portal, Users/group is mapped to the port.
Hi Gumo,
Thank you for reaching out. If you are using FortiClient to connect to the VPN, at what percentage does the connection fail? It is also recommended to review the config: if you are using split-tunnel for your SSL-VPN portals and have user accounts belonging to different SSL-VPN user groups, make sure that the firewall policy ordering is correct, where the top policy on the list with source interface ssl.root has the right user group. If the issue is purely about SSL-VPN, I recommend running sslvpn and fnbamd debugs, as well as SAML debugs if applicable:
di de reset
di vpn ssl debug-filter src-addr4 x.x.x.x -------- use this command if you want to filter to a single connection attempt, where x.x.x.x is the public IP of the connecting FortiClient agent
di de app sslvpn -1
di de app fnbamd -1
di de app samld -1
di de console time en
di de en
If it is a more general problem with user accounts not being pulled properly from LDAP or other authentication servers, I recommend providing more details about the issue or opening a ticket with support.
Thank you,
saleha
Hello @Gumo ,
Can you check that the user group used for SSL VPN includes the correct users? Also verify the remote authentication (LDAP or RADIUS) server config and whether users are correctly mapping to it.
Hello Gumo,
Please check the groups and OU that are being used as the filter by running dsquery on your AD.
Also, create one realm and assign it to one group. After that try connecting and run the following debugs while trying to authenticate.
di de application fnbamd -1
di de console timestamp en
di de en
By running the following debugs you will find the reason why it is not matching. For instance, no DN found. Make sure you are using those groups on firewall policies too.